Hello,
This one is either detected as Zeus or Fareit by AV (because of the /gate.php...?). However, the host and network profiles/behavior do not match either, as far as I know. I used Yara to help with this and still no luck. It is somehow similar to sid:41442 yet different. So I went ahead and called it "Isg" based on the HTTP responses. Please feel free to name this one, or if anyone has seen this traffic before, please do let us know.
Additional details and pcaps are available.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Isg getconfig request"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"|20|form-data|3B 20|name=|22|getconfig|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000851; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Isg getconfig response"; flow:to_client,established; file_data; content:"IS_G_PWDS:"; content:"IS_G_DOUBLE:"; content:"IS_G_BROWSERS:"; content:"IS_G_COINS:"; content:"IS_G_SKYPE"; content:"IS_G_STEAM:"; content:"IS_G_DESKTOP"; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000852; rev:1;)
Thanks.
YM
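Added example (not part of the original post or the submitted rules): a small Python re-implementation of the match conditions in the two rules above, run over a constructed request/response pair so the logic can be sanity-checked offline without a Snort install. The host name, boundary value and flag values in the samples are made up for illustration.

```python
# Constructed getconfig request (beacon to /gate.php); no Accept header, as the rule requires.
SAMPLE_REQUEST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Referer: http://c2.example.invalid/\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABCD1234\r\n"
    b"Connection: close\r\n\r\n"
    b"------WebKitFormBoundaryABCD1234\r\n"
    b'Content-Disposition: form-data; name="getconfig"\r\n\r\n1\r\n'
    b"------WebKitFormBoundaryABCD1234--\r\n"
)

# Constructed getconfig response carrying the IS_G_ module flags named in the second rule.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n"
    b"IS_G_PWDS:1|IS_G_DOUBLE:0|IS_G_BROWSERS:1|IS_G_COINS:1|"
    b"IS_G_SKYPE:0|IS_G_STEAM:1|IS_G_DESKTOP:0"
)

def split_http(raw):
    """Split a raw HTTP message into (start line, raw header block, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], head, headers, body

def matches_getconfig_request(raw):
    """Approximate sid:1000851 on one request: POST, /gate.php URI, WebKit boundary in the
    header block, getconfig form part, Referer present, Connection: close, and no Accept."""
    start, head, headers, body = split_http(raw)
    method, uri = start.split(b" ", 2)[:2]
    return (
        method == b"POST"
        and b"/gate.php" in uri
        and b"WebKitFormBoundary" in head            # rule: http_header buffer
        and b' form-data; name="getconfig"' in body  # rule: unmodified content (raw payload)
        and b"referer" in headers
        and headers.get(b"connection") == b"close"
        and b"Accept" not in head                    # rule: content:!"Accept"; http_header
    )

IS_G_MARKERS = [b"IS_G_PWDS:", b"IS_G_DOUBLE:", b"IS_G_BROWSERS:", b"IS_G_COINS:",
                b"IS_G_SKYPE", b"IS_G_STEAM:", b"IS_G_DESKTOP"]

def matches_getconfig_response(raw):
    """Approximate sid:1000852: all seven IS_G_ markers in the response body (file_data)."""
    return all(m in split_http(raw)[3] for m in IS_G_MARKERS)
```

Feeding a real pcap's reassembled HTTP streams through these two functions is a quick way to check that a sample triggers both signatures before submitting a rule revision.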
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170222/2e76539f/attachment.html>